USGIF GotGeoint Blog

USGIF promotes geospatial intelligence tradecraft and a stronger community of interest between government, industry, academia, professional organizations and individuals focused on the development and application of geospatial intelligence to address national security objectives.

June 12, 2017

At GeoBusiness 2017 in London, Hugh Boyes, a cyber security specialist, outlined some of the security risks of digital engineering and the importance of cybersecurity for engineering projects. BIM models, floorplans and 3D LiDAR scans of sensitive buildings and infrastructure can often be found on the web. He mentioned the floorplan of a major police station, a BIM model of a young offenders facility, and a BIM model of the Victoria Underground station. All of these could potentially be very useful to anyone interested in disrupting infrastructure. It is well-known that mapping underground infrastructure reduces risk during construction and also during disasters, natural and man-made. However, it can also provide information about sensitive infrastructure. Hugh mentioned substations as particularly sensitive elements of the energy grid. With traditional centralized generation, substations are critical elements of the grid and are particularly vulnerable. In many countries disrupting a small number of large substations can leave significant parts of the country without power. (An advantage of a decentralized grid comprised of many microgrids with their own generating and storage facilities is that it is much less vulnerable.)

For people who are designing and building sensitive infrastructure using BIM, he recommended following the PAS 1192-5 guidelines and incorporating security into the design from the start. PAS 1192-5 specifies processes which will assist organizations in identifying and implementing measures to reduce the risk of loss or disclosure of information which could impact the safety and security of personnel and users of infrastructure or the built infrastructure itself. PAS 1192-5 is applicable to any built asset or portfolio of assets which is deemed sensitive. It is for use by asset owners and organizations involved in the design, construction, maintenance and management of built assets, especially those who wish to protect their commercial information and/or intellectual property. Hugh is the joint technical author of BS PAS 1192-5 - Specification for security-minded building information modelling, digital built environments and smart asset management.

May 28, 2016

Electric Choice has created a compilation of Clinton and Trump's announced positions on energy and related policies. Some of the highlights:

Hillary Clinton

Nuclear Power: Clinton is an advocate for advanced nuclear power and the expansion of successful initiatives such as ARPA-E.

Renewable Energy: Become a leader in the fight against climate change via installation of solar panels and the production of enough clean energy to power every home in the United States (within 10 years). Her clean energy plan is focused on generating new economic investment opportunities that will help to create paying jobs nationwide.

Energy Waste: Reduce energy waste by a third to make manufacturing in the United States cleaner and more efficient. Specifically mentions:

Improving building codes and standards

Energy transparency

Continued support of appliance energy standards and labels

Energy Infrastructure: Upgrade the United States energy infrastructure by modernizing the pipeline system, increasing rail safety and enhancing grid security. Create a new Presidential Threat Assessment and Response Team to help state, local officials, and the energy industry to handle cyber security threats using new improved technologies.

Donald Trump

Coal: Trump plans to revive the coal mining industry by helping to get coal miners back to work.

Oil & Gas: Has previously stated his support for fracking as a way to end America’s dependence on imported oil.

Nuclear Power: Strongly in favor of nuclear energy, but the United States needs to put the proper procedures in place to ensure its continued safety.

Energy Infrastructure: Plans to rebuild America’s infrastructure on time and on budget, but has not yet defined a plan for how this will improve the United States energy industry infrastructure.

February 05, 2015

At DistribuTECH 2015, Raiford Smith of CPS Energy and Jason P. Handley of Duke Energy presented their perspectives on the smart grid: what is motivating it in terms of business and technology drivers, a roadmap for implementing it at their utilities, and the benefits that are expected from it for customers and for utilities. They also outlined a smart grid architecture based on open standards to enable seamless interoperability that enables distributed as opposed to centralized intelligence. Some of the advantages of a distributed architecture are scalability, reduced latency and implementing security at the grid edge instead of via the central control application.

Megatrends driving smart grid

Raiford Smith sees four major megatrends that are major motivating forces behind the smart grid. Moore's Law means there are intelligent devices for power networks with greater capabilities and at less cost. Metcalfe's Law means more interconnections and greater interoperability. Big data analytics means the ability to extract more meaningful information and insights from rapidly increasing volumes of data coming from thousands and even millions of intelligent devices. Distributed energy generation (DER) means more complicated power management - balancing intermittent generation and new load profiles from an increasing number of new electronic devices.

From a business perspective a major benefit is greater customer choice. In the future the customer will be able to not only manage his/her consumption of power, but also its generation. With rooftop solar PV and batteries the customer may elect to not even be on the grid, but to create his/her own microgrid. But it also means the utility business model will have to evolve from what it has been for the past 100 years. New York is one of the jurisdictions that is already changing its regulatory framework to enable utilities to move to a new business model.

Microgrids

As an aside, at this year's DistribuTECH if there was one technology that seemed to be everywhere and on almost every utility's radar, it is microgrids. Duke Energy is even playing with the idea of offering microgrids as a service.

Technology roadmap for the smart grid

From Raiford Smith's perspective the technology roadmap for the smart grid involves the deployment of increasing numbers of intelligent electronic devices for sensing and for control. The challenge is federating the data from all of these devices, extracting information from it, and dispatching the information to the right control devices. From an architectural perspective this drives the need for a field message bus which enables interoperability between different devices from different vendors. It also requires a common semantic model, such as the Common Information Model (CIM), adding security at the edge of the grid in addition to the central control room, and analytics to extract information from the huge volume of data collected from the sensors.

To test different smart grid configurations, CPS Energy is assembling a test facility for a three year smart grid testing program. It will have 30,000 customers, 15 circuits, solar generation, smart inverters, battery storage and the ability to disconnect from the grid to form a microgrid.

Benefits of the smart grid

Raiford expects major benefits for customers and for the utility from implementing a smart grid. For customers, perhaps the biggest benefit is that the smart grid avoids divergence of utility services and customers' needs. Sometimes referred to as disaggregation, in this context it means a 3rd party coming between a utility and its customers. Historical examples are Microsoft Hohm and Google Powermeter which were perceived as threats because utilities found the idea of a Microsoft or Google insinuating itself between the utility and its customers unattractive. Opower is an example of a different approach that is much more attractive to utilities. Instead of doing an end-run around the utility, Opower focussed on the utility as their direct customer. Services using Opower's solutions are then offered by the utility to its customers.

Secondly, smart grid provides a flexible foundation for providing new services to customers (which also creates new sources of revenue for utilities). Raiford suggested some examples including electric vehicles and charging, premium (high quality) power, premium reliability, asset control (for example, inverters and batteries) and advanced demand response (the utility would provide these as a service to customers, rather than customers buying these devices from a 3rd party). The result is greater customer satisfaction and improved brand recognition as CPS Energy is perceived as a leader in providing new and improved services to customers.

Probably the greatest challenge Raiford sees is managing organizational change, because the smart grid will mean that just about everything will change including the utility business model and most aspects of how we design, build, maintain and operate the grid.

Drivers for utility industry change

Jason Handley, of the Emerging Technology Office at Duke Energy, reviewed some of the major drivers for industry change. Many applications currently used by power utilities are proprietary, with the result that the utility has many application silos that don't interoperate. The rapid adoption of DERs is requiring utilities to move toward faster response times, reduced costs, better safety, and improved reliability. Dynamic load management and low voltage power electronics will mean greater adoption of rooftop PVs and other DERs. Increasingly utilities will invest in standards-based, modular systems for hardware, multi-function devices, and a field message bus for software that will enable interoperability. From a business perspective broader interoperability facilitates more competition which lowers costs, encourages innovation and improves reliability.

Other important drivers that Jason sees that are impacting utilities include demand response, electric vehicles, in-premise automation, cybersecurity threats, aging infrastructure, big data complexity, and avoiding stranded assets. The smart grid is requiring utilities to change how they do things. Utilities realize they have to be more proactive in their operations, rather than waiting for something to happen and then reacting to it. Situational awareness has become a critical capability for utilities in enabling utilities to be more proactive. It is made possible by having a variety of sensors in the field that together can present a snapshot of the status of the grid. The key functionality required to enable this to happen is seamless interoperability.

Centralized or distributed intelligence

As utilities implement thousands and even millions of smart devices in the field, a centralized architecture runs into scalability and latency problems. Duke's solution is an architecture with distributed as opposed to centralized intelligence. Duke sees this as comprised of layers so that with this architecture, not all data needs to go to the central control application. Some can be handled at lower levels. A self healing network is an example where a problem can be handled locally without the central control application knowing anything about it. Distributed intelligence also enables fast edge decisions that can be made without waiting for the central control application. For example, an advantage that should not be underestimated with this architecture is that it enables security at the edge of the grid, not just via the central control application. Based on this concept Duke has defined a Distributed Intelligence Platform (DIP) Reference Architecture designed to take advantage of the tremendous intelligence that is out in the field in addition to the intelligence in the control centre.

Duke Energy, CPS Energy and 25 vendors, called the Coalition of the Willing (COW), have just embarked on an implementation of this architecture that supports a microgrid. The smart grid requires exchanging data between different devices from different manufacturers in the field. Traditional utility technologies are very often vendor silos utilizing proprietary hardware, telecommunications and software platforms. The goal of the “Coalition of the Willing” (COW) is to demonstrate that data and control commands can be shared across multiple vendor platforms (typically proprietary) to achieve interoperability with lower costs and faster response times. A key part of the demonstration is an open standard field message bus implemented as an open source project. The Smart Grid Interoperability Panel (SGIP) has created an OpenFMB working group to support this effort.

August 27, 2014

Globally, smart grid technology has emerged to help utilities deal with challenges such as increased reliability, the need to reduce non-technical losses, distributed renewable generation, and electric vehicles, but for small to medium utilities, access to IT resources limits their ability to implement smart grid solutions. Back in 2010 McKinsey was already seeing AMI vendors starting to look at options for providing AMI services using a "software as a service" model. Now power industry IT vendors and service providers are increasingly offering managed services solutions, referred to as smart grid as a service (SGaaS).

I blogged previously about Burlington Hydro, a small utility in an affluent part of southern Ontario that is integrating into an intelligent network many aspects of what is typically included in smart grid including intelligent network devices, self healing networks, smart meters, distributed generation, electric vehicles (EV), factory ride-through systems (enables factories to continue functioning through outages), battery-based electric storage, bidirectional communications network linking the intelligent devices to the control center, and dramatically increased volumes of real-time data. Burlington Hydro has been working with a local IT consulting company AGSI to develop systems to manage their smart grid deployment in a real-time, big data IT environment. But what about small utilities who don't have the in-house skills or the revenue stream to support bringing in an outside IT consulting company?

What struck me as so unique about what Terraspatial offers and which is so valuable to small utilities is that it is a hosted solution. Basically, all the utility needs to install at its site is a browser, everything else is running in the cloud. The most important benefit of a hosted solution like this is that it has the potential to provide a high level of IT security without the need to increase the level of IT capacity that the utility needs to maintain in house.

Terraspatial's hosted solution is called PlantWorx for electric power utilities. The design goals of the solution that Terraspatial developed are very relevant to small utilities.

Hosted, which means that the utility does not need to own or manage servers or software.

Secure because it relies on the security of a major cloud hosting provider such as Rackspace or Amazon that can provide a level of security, including protection from internal tampering, role-based access by users, protection from external threats, the latest encryption, redundancy and back-ups, ISO certified data centers, and mirrored servers for persistent backup, in other words a much higher level of security than the average utility network is capable of.

Accessible from the office and the field

Integrated solution that supports staking through to accounting and reporting with interfaces to CAD, GIS, customer information systems, accounting and billing systems, materials management, and other systems

Now according to Navigant Research the growth in cloud-based services has increased the awareness of SGaaS. Offerings are available for a host of smart grid applications in several categories, including home energy management (HEM), advanced metering infrastructure (AMI), distribution and substation automation (DA and SA) communications, asset management and condition monitoring (AMCM), demand response (DR), and software solutions and analytics.

The complexity of smart grid deployments, systems integration, spatial analytics, real-time big data and cyber security and limited internal IT capacity are some of the drivers behind a growing market for SGaaS. Navigant Research forecasts that the global SGaaS market will grow from just under $1.7 billion in 2014 to more than $11.1 billion in 2023.

July 05, 2014

A cyberespionage attack, identified by Symantec as Dragonfly, has targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers located primarily in the United States, Spain, France, Italy, Germany, Turkey, and Poland. According to Symantec, the attackers used the malware only to spy on system operations, but could have used the remote-access functionality to cause serious damage if they had decided to. With infections reaching 1,018 organizations across 84 countries, ranging from grid operators to gas pipelines, the scope of the damage would have been considerable.

Symantec reports that the Dragonfly group is well resourced and is capable of launching attacks through a number of different vectors. Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyberespionage, with potential for sabotage a definite secondary capability.

Analysis of the compilation timestamps on the malware used by the attackers indicates that the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9am to 6pm working day in the UTC+4 time zone. Based on this information, it is likely the attackers are based in Eastern Europe.
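The working-hours inference described above can be reproduced with a short script. This is an added example, not Symantec's tooling: the function names are hypothetical and the timestamps are constructed sample data standing in for compile times read from malware samples.

```python
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18  # 9am to 6pm local time, the window cited above


def in_office_hours(ts, utc_offset):
    """True if epoch second `ts` falls Mon-Fri, 09:00-17:59, at the given UTC offset."""
    local = datetime.fromtimestamp(ts, tz=timezone(timedelta(hours=utc_offset)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_offsets(timestamps, offsets=range(-12, 15)):
    """Map each candidate UTC offset to the fraction of samples inside office hours."""
    total = len(timestamps)
    if total == 0:
        raise ValueError("no timestamps to analyse")
    return {
        off: sum(in_office_hours(ts, off) for ts in timestamps) / total
        for off in offsets
    }


def best_offset(timestamps):
    """Return (offset, fraction) for the offset that best explains the samples.

    Ties are broken towards the offset closest to UTC so the result is stable.
    Compile timestamps can be zeroed or forged, so the output describes a
    working pattern in the data; it is not proof of location.
    """
    scores = score_offsets(timestamps)
    off = max(scores, key=lambda o: (scores[o], -abs(o)))
    return off, scores[off]


def constructed_sample():
    """Constructed data: 25 builds on Mon 4 - Fri 8 March 2013 plus two outliers."""
    stamps = []
    for day in range(4, 9):
        for hour in (5, 7, 9, 11, 13):  # UTC hours, i.e. 09:30-17:30 at UTC+4
            moment = datetime(2013, 3, day, hour, 30, tzinfo=timezone.utc)
            stamps.append(int(moment.timestamp()))
    # Outliers: one Saturday evening build and one early Sunday build (UTC).
    stamps.append(int(datetime(2013, 3, 9, 20, 0, tzinfo=timezone.utc).timestamp()))
    stamps.append(int(datetime(2013, 3, 10, 2, 15, tzinfo=timezone.utc).timestamp()))
    return stamps


if __name__ == "__main__":
    offset, fraction = best_offset(constructed_sample())
    print(f"best fit: UTC{offset:+d}, {fraction:.1%} of samples in office hours")
```

Neighbouring offsets score lower because each pushes the earliest or latest build of every day outside the nine-hour window, which is what makes the fit informative.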

The Dragonfly group has used at least three infection tactics against targets in the energy sector.

The earliest method was an email campaign, which saw selected executives and senior employees in target companies receive emails containing a malicious PDF attachment. Infected emails had one of two subject lines: “The account” or “Settlement of delivery problem”. All of the emails were from a single Gmail address. The spam campaign began in February 2013 and continued into June 2013. Symantec identified seven different organizations targeted in this campaign. The number of emails sent to each organization ranged from one to 84.

The next method involved watering hole attacks, compromising a number of energy-related websites and injecting an iframe into each which redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit. Lightsout exploits either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer. The fact that the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities.

The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different ICS equipment providers were targeted and malware was inserted into the software bundles they had made available for download on their websites. All three companies made equipment that is used in a number of industrial sectors, including energy.

The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected companies.

To counter this type of threat it has been recommended that utilities should be spending 15-20% of their IT budget on cybersecurity.

March 18, 2014

Last year I blogged about a report on grid cybersecurity that was released by US Representatives Ed Markey and Henry Waxman. The U.S. bulk power system is relied on by 300 million people and is comprised of 200,000 miles of transmission lines and about a thousand gigawatts (GW) of generating capacity. It is valued at over $1 trillion. Most of the bulk power grid is owned and operated by private companies, municipally- and coop-owned utilities.

The report makes the case that the components of the grid are highly interdependent. An outage in one area can lead to cascading outages in other areas. The classic example occurred in 2003 when four high voltage power lines in northern Ohio brushed trees and shut down. A computer system error caused a cascade of failures that left 50 million people without power for two days across the United States and Canada and cost the economy an estimated $6 billion.

This report makes the case that grid vulnerabilities pose substantial risks to U.S. national security. It cites a 2008 report by the Task Force on Department of Defense (DOD) Energy Strategy that said that “critical missions . . . are almost entirely dependent on the national transmission grid.” About 85% of the energy infrastructure upon which DOD depends is commercially owned, and 99% of the electricity DOD consumes originates outside of DOD. In most cases, neither the grid nor on-base backup power provides sufficient reliability to ensure continuity of critical national priority functions and oversight of strategic missions in the face of a long term (several months) outage. An October 2009 report by the Government Accountability Office said that 31 of DOD’s 34 most critical global assets rely on commercially operated electricity grids for their primary source of electricity.

I remember a startling statistic in an Energy Information Administration (EIA) publication that the failure of 4% of U.S. substations would result in 60% of the U.S. losing power. The Markey and Waxman report also cites a declassified National Academy of Sciences report that found that physical damage to large transformers could disrupt power to large regions of the country and take months to repair.

Last Thursday the Wall Street Journal published an article citing "a previously unreported federal analysis." The article said that

"The study by the Federal Energy Regulatory Commission concluded that coordinated attacks in each of the nation's three separate electric systems could cause the entire power network to collapse, people familiar with the research said.

"The U.S. could suffer a coast-to-coast blackout if saboteurs knocked out nine of the country's electric-transmission substations on a summer day, according to a previously unreported federal analysis.

"A small number of the country's substations play an outsize role in keeping power flowing across large regions. The FERC analysis indicates that knocking out nine of those key substations could plunge the country into darkness for weeks, if not months."

Acting Chairman Cheryl A. LaFleur of FERC issued a statement in response to the Wall Street Journal article about grid security.

"We take seriously our obligation to the American people to protect the reliability and security of our nation’s energy infrastructure and to enhance its resilience. Experts from FERC and other federal agencies work continuously with the electric industry to assess the threats posed by physical attacks, cyber intrusions, and severe weather; perform sophisticated modeling to identify and address vulnerabilities; and provide advice on security techniques and best practices. FERC also oversees mandatory reliability standards for the electric industry, including cyber security standards and standards that require planning for contingencies and emergency operations. On Friday, March 7, 2014, FERC ordered mandatory standards to protect critical facilities from physical security threats and vulnerabilities. At the same time, no single action or approach is sufficient. Building a resilient grid requires a comprehensive and ongoing assessment of how the system is planned, constructed, operated, and secured under a range of conditions.

"Today’s publication by The Wall Street Journal of sensitive information about the grid undermines the careful work done by professionals who dedicate their careers to providing the American people with a reliable and secure grid. The Wall Street Journal has appropriately declined to identify by name particularly critical substations throughout the country. Nonetheless, the publication of other sensitive information is highly irresponsible. While there may be value in a general discussion of the steps we take to keep the grid safe, the publication of sensitive material about the grid crosses the line from transparency to irresponsibility, and gives those who would do us harm a roadmap to achieve malicious designs. The American people deserve better."

January 24, 2014

Massachusetts has not been among the states that have led the smart grid revolution in the United States. In September 2012 National Grid began a small smart grid pilot involving 5,000 meters in Worcester, Massachusetts. National Grid is expanding this to 15,000 customers to evaluate integrating home automation, dynamic pricing and distribution automation. At this point Massachusetts looks like a late adopter, but this is set to change. The Massachusetts Department of Public Utilities (DPU) has decided to aggressively accelerate the deployment of smart grid technologies in the state.

Background

DPU is responsible for ensuring that electric distribution companies provide safe and reliable electric service to customers and expand the deployment of clean energy technologies. As part of that mandate, in October 2012, the DPU issued a Notice of Investigation (“NOI”) into the modernization of the electric grid with the goal of developing policies to ensure that electric distribution companies adopt grid modernization technologies and practices. The expected benefits of grid modernization include improved reliability, reduced operating costs, reducing rate increases and volatility for customers, and empowering customers to better manage their use of electricity. The NOI also specifically mentions increasing the resiliency of the grid in response to "increasingly extreme weather". Other benefits of grid modernization that the DPU foresees include providing support for energy efficiency, demand response, distributed generation, storage, electric vehicles (“EVs”), and renewable energy resources.

In November 2012, the DPU organized a workshop attended by over 125 stakeholders which resulted in the formation of a Working Group tasked with providing input to the DPU on approaches to grid modernization over the short, medium, and long terms and with helping the DPU in prioritizing grid modernization investments.

This report explicitly identifies what it calls network system enablers, enterprise systems that it considers essential for implementing a smart grid. These include GIS in addition to Distribution Management System (DMS)/SCADA, Outage Management System (OMS), Billing System, Metering System and Meter Data Management System (MDMS), and Communication Systems (Fiber, Microwave, Radio, etc.).

The report sees the role of GIS as the repository for asset information. It feeds system planning models, system operations models, outage management models and work-order/financial systems and can also

Based on the report the DPU established four grid modernization objectives: reduce the effects of outages; optimize demand (which includes reducing system and customer costs); integrate distributed resources; and improve workforce and asset management.

The DPU then proposed requiring each electric distribution company to develop and submit to the DPU a ten-year strategic grid modernization plan within six months. The GMPs must lay out plans to make measurable progress towards all of these grid modernization objectives.

Smart grid priorities

In its first GMP each power utility must include a comprehensive plan for advanced metering (CAMP). The DPU is prioritizing advanced metering because it sees AMI as a basic platform upon which grid modernization will be developed. It is being very aggressive in mandating completion of the rollout of AMI within three years of the DPU's approval of each company's GMP. To support this effort the DPU has already developed a regulatory framework specifically targeted on advanced metering.

The DPU has identified its next top priorities: (1) time varying rates (time-of-use rates), (2) cybersecurity, privacy, and access to meter data, and (3) electric vehicles.

November 08, 2013

At the inaugural meeting of the Smart Grid Interoperability Panel (SGIP), Dave Wolman of NIST announced that the next NIST Framework and Roadmap for Smart Grid Interoperability Standards 3.0 will be released in December for public comment. I've blogged about the 1.0 and 2.0 releases previously.

Some of the important changes are

Architecture - reflects input from the E.U. which is heavily focused on integrating distributed generation

October 25, 2013

In light of President Obama's recent Executive Order on cybersecurity for critical infrastructure, security has become even more critical and most utility folks realize that utilities need to get very serious about it. The Cooperative Research Network has developed a guide on cybersecurity for utilities. And a new security standard for MultiSpeak was released in January 2013 that goes beyond secure sockets (SSL) and transport layer security (TLS) and implements message-level security.

If you haven't paid much attention to cybersecurity for utilities, a recent article about a gaping hole that would allow intruders to crash substations provides serious motivation to take cybersecurity more seriously.

A few months ago, two engineers, Adam Crain of Automatak and independent researcher Chris Sistrunk, discovered a potentially catastrophic vulnerability in the electric grid. They found that a flaw in multiple vendors' software that is used to monitor substations makes it easy for an internet intruder to disable substation monitoring and potentially cause a widespread power outage.

The engineers developed a program specifically to check for vulnerabilities in implementations of a widely-used communications protocol DNP3 that plays a crucial role in SCADA systems, where it is primarily used for communications between SCADA control centers, Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs). DNP3 allows remote substations to be monitored from a control center.

The first DNP3 program they targeted belonged to Triangle MicroWorks, which provides a DNP3-based data gateway for SCADA systems. They found that Triangle was vulnerable to break-in. They checked other vendors and found that they could successfully break into 16 different SCADA vendors. They sent a detailed report to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The research showed that some implementations were third-party components in other software packages. This vulnerability can be exploited remotely (over an IP-based implementation) as well as from the local system (through a serial-based implementation).

The engineers then checked other vendors and discovered that they could break into nine other vendors' systems. The vendors impacted by what ICS-CERT calls the "DNP3 IMPROPER INPUT VALIDATION VULNERABILITY" are Alstom, IOServer, Kepware Technologies, MatrikonOPC, Schweitzer Engineering Laboratories, Software Toolbox, SUBNET Solutions Inc., and Triangle MicroWorks.

Intruders can put either the master station or an outstation/slave into an infinite loop or Denial of Service condition by sending a specially crafted TCP packet from the master station or from an outstation on an IP-based network. If the device is connected via a serial connection, the same attack can be accomplished with physical access to the master station or outstation. The device must be shut down and restarted manually to reset the loop state. The IP-based vulnerability could be exploited remotely, but the serial-based vulnerability is not exploitable remotely. Local access to the serial-based outstation is required.

The result is that this type of attack prevents operators from seeing what is going on in substations.

It seems that this type of attack is difficult to prevent. Traditional firewalls are not designed to stop this type of intrusion because they have to let DNP3 traffic through. ICS-CERT recommends a virtual private network (VPN). Also, apparently, current cybersecurity regulations don't cover serial communications, even though serial communications are commonly used in substations, especially with older equipment.
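Because a port-based firewall has to pass DNP3 traffic, the validation has to happen in something that understands the protocol. The block below is an added example, not code from any of the vendors or researchers named above: it checks a DNP3 link-layer frame (start bytes, length field, header and per-block CRCs) with a parse loop that always advances and always terminates. The post does not say which field the crafted packets abused, so this illustrates strict input validation in general; the function names and the sample frame are constructed.

```python
import struct

START = b"\x05\x64"  # DNP3 link-layer start bytes
HEADER_LEN = 10      # start(2) + length(1) + control(1) + dest(2) + src(2) + CRC(2)
BLOCK = 16           # user data is sent in blocks of up to 16 bytes, each with a CRC


class FrameError(ValueError):
    """Raised for any frame that fails validation."""


def crc16_dnp(data):
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0, output inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl, dest, src, user_data=b""):
    """Build a well-formed frame; used here only to construct sample input."""
    if len(user_data) > 250:
        raise ValueError("user data exceeds the 250-byte link-layer limit")
    header = START + struct.pack("<BBHH", 5 + len(user_data), ctrl, dest, src)
    out = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        out += block + struct.pack("<H", crc16_dnp(block))
    return out


def parse_frame(buf):
    """Validate one complete frame and return its fields, or raise FrameError."""
    if len(buf) < HEADER_LEN:
        raise FrameError("shorter than a link-layer header")
    if buf[:2] != START:
        raise FrameError("bad start bytes")
    if crc16_dnp(buf[:8]) != struct.unpack_from("<H", buf, 8)[0]:
        raise FrameError("header CRC mismatch")
    length = buf[2]  # counts control + dest + src + user data, CRCs excluded
    if length < 5:
        raise FrameError("length field below the minimum of 5")
    user_len = length - 5
    blocks = (user_len + BLOCK - 1) // BLOCK
    if len(buf) != HEADER_LEN + user_len + 2 * blocks:
        raise FrameError("frame size does not match the length field")
    data = bytearray()
    pos, remaining = HEADER_LEN, user_len
    while remaining > 0:           # each pass consumes at least one byte
        n = min(BLOCK, remaining)
        block = buf[pos:pos + n]
        if crc16_dnp(block) != struct.unpack_from("<H", buf, pos + n)[0]:
            raise FrameError("data block CRC mismatch")
        data += block
        pos += n + 2
        remaining -= n
    ctrl = buf[3]
    dest, src = struct.unpack_from("<HH", buf, 4)
    return {"ctrl": ctrl, "dest": dest, "src": src, "data": bytes(data)}


def is_valid(buf):
    """Filter decision: True only for frames that pass every check."""
    try:
        parse_frame(buf)
        return True
    except FrameError:
        return False


if __name__ == "__main__":
    # Constructed sample: control 0xC4, outstation 1, master 1024, 20 data bytes.
    frame = build_frame(0xC4, 1, 1024, bytes(range(20)))
    print(is_valid(frame), is_valid(frame[:-1]))
```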

October 09, 2013

There is no federal law on this issue and the state laws that do exist are a patchwork of different standards and requirements. According to datalossdb.org, in order to request data breach notification reports from governments, several criteria need to exist.

The state must have Freedom of Information or Open Records legislation.

The state must have Breach Notification legislation

The state must require notifications to a centralized authority (like an Attorney General, or a Consumer Protection division).

At this time, only 12 states (Hawaii, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Vermont, and Virginia) meet the requirements for gathering primary sources. 35 states have data loss notification legislation, but no centralized reporting. For example, even California, which pioneered legislation on data loss reporting, has no centralized data loss incident reporting. 4 states have no data loss notification legislation.